IT ACT AND E-SIGN

The Information Technology Act 2000 (hereinafter IT Act) was enacted to provide legal recognition to the transactions carried out by electronic means such as e-commerce and also to facilitate e-governance. E-governance means electronic governance where information and communication technologies are used at various levels of government and the public sector and beyond, for the purpose of enhancing governance.

In this context, an electronic signature plays a vital role in securing the interests of the participants in e-governance. There are two fundamental principles for a signature to be legally enforceable:

  • it must carry out the function of a traditional signature
  • there must be an express or implied indication of the intention of the signer of the document to adopt the information contained in the document.

It is highlighted that a signature performs three main functions:

  • identification
  • evidence of personal involvement
  • attribution.

The IT Act provides four types of signatures:
  • Electronic Signature: Section 5 of the IT Act states that where any law provides that information shall be authenticated by affixing a signature, or that any document shall bear the signature of any person, that requirement shall be deemed to have been satisfied if an electronic signature has been affixed in such manner as prescribed by the Central Government. Electronic signature has been defined under Section 2(ta) as 'authentication of any electronic record by a subscriber by means of an electronic technique specified in the Second Schedule and includes a digital signature.' Authentication means linking information in electronic form to a person or entity.
  • Reliable electronic signature: Section 3A of the IT Act provides for a reliable electronic signature. It lays down the criteria for the authentication of an electronic record by a subscriber by using an electronic signature or electronic authentication technique. It states that a subscriber may authenticate any electronic record by such an electronic signature or electronic authentication technique which is considered reliable, and may be specified in the Second Schedule. It further provides that for the purpose of Section 3A, any electronic signature or electronic authentication technique shall be considered reliable if:
    • the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person;
    • the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and no other person;
    • any alteration to the electronic signature made after affixing such signature is detectable;
    • any alteration to the information made after its authentication by electronic signature is detectable; and
    • it fulfils such other conditions as may be prescribed.
  • Secure Electronic Signature: It has been defined under Section 15 of the IT Act, which states that an electronic signature shall be deemed to be a secure electronic signature if:
    • the signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory and no other person; and
    • the signature creation data was stored and affixed in such an exclusive manner as may be prescribed.

Section 16 of the Act confers powers on the Central Government to prescribe security procedures and practices relating to secure electronic signatures. In exercise of this power, the Central Government notified the Information Technology (Security Procedures) Rules, 2004, which specify that a secure electronic record is one which has been affixed with a digital signature, thereby excluding all other forms of electronic signature from the definition of secure electronic records. Rule 4 sets out the procedure to be applied for deeming a digital signature to be a secure digital signature.
Briefly, the list is:

  • that the smart card or hardware token, as the case may be, with a cryptographic module in it, is used to create the key pair
  • that the private key used to create the digital signature always remains in the smart card or hardware token as the case may be
  • that the hash of the content to be signed is taken from the host system to the smart card or hardware token and the private key is used to create the digital signature and the signed hash is returned to the host system
  • that the information contained in the smart card or hardware token, as the case may be, is solely under the control of the person who is purported to have created the digital signature
  • that the digital signature can be verified by using the public key listed in the Digital Signature Certificate issued to that person
  • that the standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 have been complied with, in so far as they relate to the creation, storage, and transmission of the digital signature
  • that the digital signature is linked to the electronic record in such a manner that if the electronic record was altered the digital signature would be invalidated.

Digital signature: Digital signatures form part of the broad head of electronic signatures as set out above. The primary difference is in the level of security attached to a digital signature, which flows from the technology used. While all forms of authentication, including through a password, may fall within the definition of electronic signature, the electronic technique required for a digital signature is the one specified under the IT Act, namely an asymmetric crypto-system and hash function. Section 2(p) of the IT Act defines digital signature as 'authentication of electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3 of the Act.'
Encryption, through cryptographic tools, is used to generate a digital signature. Digital signatures use the asymmetric crypto system, which has a public key available to all and a private key that is required to be retained only by the subscriber. The private and public keys together are referred to as a 'key pair.' The key pair is computer generated using encryption tools and is not manually created. The public key is listed in the digital signature certificate issued by a certifying authority, and the private key remains with the subscriber of that digital signature, who uses it to execute an electronic record by applying the digital signature. Section 3 of the IT Act provides for authentication of electronic records through digital signature by the use of the asymmetric crypto system and hash function, which envelops and transforms the initial electronic record into another electronic record. The hash function has been defined in the explanation to Section 3 of the IT Act as under:

For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as the hash result, such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible
a. to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
b. that two electronic records can produce the same hash result using the algorithm.

A hash function is a computer-generated calculation of the value of each electronic record which ensures the authenticity and integrity of that electronic record. The hash value is derived through an algorithm which maps a set of bits into a smaller code.

In Shree Balaji Export Corporation vs. Food Corporation of India, the Punjab and Haryana High Court dealt with the signing of a tender document using digital signatures. The petitioner's tender had been rejected for want of signatures in the annexures. The court held that digital signatures were a secure way of authenticating electronic records, recognised under Section 2(1)(p) and (q) of the IT Act, and that the tender document itself permitted online submissions to be digitally signed using digital signature certificates; it therefore quashed the respondent's order rejecting the petitioner's bid.

It should be noted that, unlike Section 85B of the Indian Evidence Act, which establishes a presumption regarding the intention of a signer using a secure electronic signature, there is no such presumption of intention for a digital signature. Therefore, when a document is authenticated using a digital signature, which may or may not indicate the intention of the signer to approve the content of the document, the inclusion or exclusion of evidence relating to that signature will be a matter of procedure, rules, and the court's ex post facto rationalisation. Though all these kinds of electronic signatures have been given legal recognition by the IT Act, the evidentiary value of each of them may vary. According to Section 67A of the Evidence Act, except in the case of a secure electronic signature, if the electronic signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such electronic signature is the electronic signature of the subscriber must be proved.
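The Rule 4 signing flow and the Section 3 hash-then-sign mechanism described above, as an added example in Go (not code from the page, the Rules, or any certifying authority): the host computes the hash of the record, a simulated token holding the private key signs only that hash, and a relying party verifies with the public key, which fails if either the record or the signature is altered. The Token type, ECDSA P-256 and the sample record text are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token simulates the Rule 4 smart card / hardware token in software: the key pair
// is generated inside it, the private key never leaves, and it only signs a hash.
type Token struct{ priv *ecdsa.PrivateKey }

// NewToken generates the key pair on the token; ECDSA P-256 is an assumed choice.
func NewToken() *Token {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is unrecoverable here
	}
	return &Token{priv: priv}
}

// PublicKey is what would be listed in the Digital Signature Certificate.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// SignHash receives only the hash from the host and returns the signed hash.
func (t *Token) SignHash(hash []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, hash)
}

// HostHash is the host-side step: SHA-256 of the electronic record.
func HostHash(record []byte) []byte {
	h := sha256.Sum256(record)
	return h[:]
}

// Verify is the relying party's check; altering the record or the signature makes it false.
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, HostHash(record), sig)
}

func main() {
	tok := NewToken()
	record := []byte("Constructed sample: tender annexure text")
	sig, _ := tok.SignHash(HostHash(record))
	altered := append([]byte{}, record...)
	altered[0] ^= 1 // one flipped bit in the record
	fmt.Println(Verify(tok.PublicKey(), record, sig), Verify(tok.PublicKey(), altered, sig)) // true false
}
```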
Furthermore, the Central Government has been given the authority to prescribe the procedures for ascertaining whether the person to whom an electronic signature belongs has affixed it. It has also been given the authority to accept or reject methodologies for the authentication of electronic signatures, and all such changes are to be placed before Parliament for confirmation. Section 10 of the IT Act also confers powers on the Central Government to prescribe rules for the issuance of electronic signatures.